The Future Is Here - Modern Attack Surface On Automotive. Lior Yaari, 28/11/2019
Who I Am. Techy: Trainer at DeepSec, 7 years in cyber security, vulnerability researcher, sec-dev, CS teacher, consultant. Casual: born in Jerusalem, studying German (hobby), cool.
What we do: Building security end to end • Breaking through the cloud or factory • Bypassing ECU protections • Products security testing • IDS / IPS • Automotive SOC • Vehicle security research • Prevention concepts
Disclaimer: As part of our job at CYMOTIVE we work closely with several automotive companies, and because of that many of our findings are under NDA. We will not include ANY customer names or real issues that could cause harm, and will focus more on the tech side. * All photos in this presentation are from open sources found on the internet.
Progress Bar • Who I Am • Automotive Past & Future • Connected Technologies • Centralized Management
Automotive Main Trends: LiDAR, NFC, SLAM, Wifi, V2X, PLC, GPS, Thermo, Bluetooth, Sonar, 4G
Who talks to my car? Year 2005~
Who talks to my car? Bluetooth, Wifi Year 2015~
Who talks to my car? OTA Cloud RF,BLE Year 2025~
What does it imply?
Changes: CAN Bus -> Ethernet; Mechanical Engineer -> Software Developer
New Demands: Vehicle Clouds; Growing IT Department; Tons of Infosec Jobs
Some Terminology Original Equipment Manufacturer (OEM)
Some Terminology: Electronic Control Unit (ECU). Examples on the bus: Door, Info, Engine, Radio, Gateway, Nav, Airbag, Body, ABS, Door, Diag
Some Terminology Infotainment (Information + Entertainment)
Progress Bar • Who We Are • Automotive Past & Future • Connected Technologies • Centralized Management
The new fashion in vehicle IoT is “Aftermarket Solutions” – which are also the solution for hackers
Aftermarket Solutions: Chainway TSP, Viper Smart Start, Samsung MYCAR, Vinli OBD-II, Drone Mobile, Engie
Hacking the server, the phone or the dongle -> hacking the car (Server -> Dongle -> Car)
Keyless Entry =< Car Sharing
By Continental https://www.youtube.com/watch?v=vdnrr5i4naE
Car2Go App MYCAR App - Found by Jmaxxz
The Bluetooth Problem: infotainment, dongles and keys are all Bluetooth connected. Hell2CAP (Cymotive) CVE-2018-20378; KNOB (SUTD) CVE-2019-9506; BleedingBit (Armis) CVE-2018-16986, CVE-2018-7080
Hell2CAP – found by Barak Caspi at Cymotive. State machine bug in BlueSDK L2CAP (~100 million devices). (Bluetooth stack diagram: “We Are Here” marks the L2CAP layer)
L2CAP Channel Multiplexing: PSM – “Protocol ID”; DCID – channel identifier. Exchange: L2CAP_Connect(PSM=0x1) -> L2CAP_ConnectResp(DCID=0x41) -> L2CAP_ConfReq(DCID=0x41, …)
L2CAP Configuration – can configure MTU, Timeout and more. Minimal Bluetooth MTU is 48 (Bluetooth Specification Version 3.0 + HS [Vol 3]).
L2CAP Configuration – pseudo code: Save MTU; Check Size; On Fail, Set Invalid.
L2CAP Configuration example: Connect channel 0x41 -> Valid: Yes, MTU: 0x500. L2CAP_ConfReq(DCID=0x41, MTU=0x200) -> Valid: Yes, MTU: 0x200, L2CAP_ConfResp(DCID=0x41, SUCCESS). L2CAP_ConfReq(DCID=0x41, MTU=0x10) -> Valid: No, MTU: 0x10, L2CAP_ConfResp(DCID=0x41, INVALID).
Hell2CAP – red flag: the value is stored (4) and only then checked (5). Can we restore the channel to be valid? ConfigRequest (MTU = 20) -> channel invalid, ch.MTU = 20. ConfigRequest (FlushTimeout = 0x1337) -> channel valid, ch.MTU still = 20.
Hell2CAP – on the upper layer (SDP) there is fragmentation code that uses the MTU from L2CAP, which we control. MTU = 48 -> availableSizeForFragment = 48 – 9 = 39. MTU = 8 -> availableSizeForFragment = 8 – 9 = 0xFFFF (integer underflow).
Hell2CAP chain: Set low MTU -> Integer underflow -> Buffer overflow -> Profit
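Added example (not code from the talk, from Cymotive or from BlueSDK): a toy model of the L2CAP configuration state machine the Hell2CAP slides describe. It puts the store-then-check handler next to a check-then-store version, and shows the SDP fragment-size arithmetic wrapping when the stored MTU is below the spec minimum. The 9-byte overhead and the 16-bit width of availableSizeForFragment are taken from the slide's arithmetic; the Channel fields and default MTU 0x500 follow the slide's example and are otherwise assumptions.

```python
# Toy model of the Hell2CAP-style L2CAP configuration bug (added example, not
# BlueSDK code). Two handlers share one Channel type: the vulnerable one stores
# the MTU before checking it and recomputes validity from each request alone;
# the hardened one rejects before mutating and derives validity from stored state.
from dataclasses import dataclass
from typing import Optional

MIN_L2CAP_MTU = 48          # spec minimum quoted on the slide
SDP_FRAGMENT_OVERHEAD = 9   # the "- 9" in the slide's arithmetic (assumed per-fragment header)
UINT16_MASK = 0xFFFF        # availableSizeForFragment modelled as unsigned 16-bit


@dataclass
class Channel:
    dcid: int
    mtu: int = 0x500         # MTU right after connect, as on the slide
    flush_timeout: int = 0
    valid: bool = True


def vulnerable_config_request(ch: Channel, mtu: Optional[int] = None,
                              flush_timeout: Optional[int] = None) -> str:
    """Store-then-check (the slide's red flag). Validity reflects only the options
    carried by *this* request, so a later request that carries no MTU option
    re-validates a channel whose stored MTU is still too small."""
    ch.valid = True
    if mtu is not None:
        ch.mtu = mtu                      # (4) stored before it is checked
        if mtu < MIN_L2CAP_MTU:
            ch.valid = False              # (5) checked only after the store
    if flush_timeout is not None:
        ch.flush_timeout = flush_timeout
    return "SUCCESS" if ch.valid else "INVALID"


def hardened_config_request(ch: Channel, mtu: Optional[int] = None,
                            flush_timeout: Optional[int] = None) -> str:
    """Check-then-store: reject before touching channel state, and derive
    validity from what is stored rather than from the last request seen."""
    if mtu is not None and mtu < MIN_L2CAP_MTU:
        return "INVALID"                  # nothing stored, channel untouched
    if mtu is not None:
        ch.mtu = mtu
    if flush_timeout is not None:
        ch.flush_timeout = flush_timeout
    ch.valid = ch.mtu >= MIN_L2CAP_MTU
    return "SUCCESS"


def vulnerable_fragment_size(mtu: int) -> int:
    """SDP fragment budget in unsigned 16-bit arithmetic: 8 - 9 wraps to 0xFFFF."""
    return (mtu - SDP_FRAGMENT_OVERHEAD) & UINT16_MASK


def hardened_fragment_size(mtu: int) -> Optional[int]:
    """Refuse to fragment on an MTU the spec never allows; None means 'do not send'."""
    if mtu < MIN_L2CAP_MTU:
        return None
    return mtu - SDP_FRAGMENT_OVERHEAD


def replay_slide_sequence(handler) -> tuple:
    """Run the slide's sequence on channel 0x41 against a handler and report
    (first response, second response, final validity, final MTU):
    ConfReq(MTU=20) followed by ConfReq(FlushTimeout=0x1337)."""
    ch = Channel(dcid=0x41)
    first = handler(ch, mtu=20)
    second = handler(ch, flush_timeout=0x1337)
    return first, second, ch.valid, ch.mtu


if __name__ == "__main__":
    print("vulnerable:", replay_slide_sequence(vulnerable_config_request))
    print("hardened:  ", replay_slide_sequence(hardened_config_request))
    print("fragment budget at MTU 8 (vulnerable):", hex(vulnerable_fragment_size(8)))
```

With the vulnerable handler the replay ends with a valid channel whose MTU is still 20, exactly the state the slide calls out; the hardened handler never lets the sub-minimum MTU into the channel in the first place, so the fragmentation layer below the spec minimum is never reached.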
The problem with Bluetooth is that it is not the only problem V2X
V2X – Vehicle to X
By Autotalks https://www.youtube.com/watch?v=RRDiDPnv_b4
V2X payload is ASN.1 based
A fake V2X module could: create false traffic; force emergency brakes; generate false alarms
Charging Evolution
Charging PLC: EVSE – Electric Vehicle Supply Equipment; PEV – Plug-in Electric Vehicle; PLC – Power Line Communication (between EVSE and PEV)
Charging Protocol Stack (top to bottom): Vendor Specific; XML-EXI; V2GTP; TLS (SDP alongside); TCP / UDP; IPv6; HPGP (SLAC alongside); Wired / Ethernet.
Attack surface on the stack: XML parser vulns (XML-EXI layer); V2GTP header edge cases; VxWorks TCP/IP stack CVEs by Armis Labs, URGENT/11 (19.7.2019): IP RCE: CVE-2019-12256; TCP RCE: CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263.
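Added example (not code from the talk, from ISO 15118 or from any charging stack): a defensive parser for the V2GTP header that sits between TCP/TLS and the EXI-encoded XML payload, rejecting the header edge cases before the declared length is used for anything. The header layout assumed here (version 0x01, inverse version 0xFE, 16-bit payload type, 32-bit big-endian payload length; types 0x8001 EXI, 0x9000/0x9001 SDP) is the editor's recollection of ISO 15118-2 and should be treated as an assumption; MAX_PAYLOAD is a receiver-side cap chosen for the example, not a protocol constant, and all sample frames are constructed.

```python
# Defensive V2GTP header parser (added example; layout per the editor's
# recollection of ISO 15118-2, constants marked as assumptions).
import struct

V2GTP_VERSION = 0x01
V2GTP_INVERSE_VERSION = 0xFE
V2GTP_HEADER_LEN = 8
PAYLOAD_TYPES = {0x8001: "EXI", 0x9000: "SDP-request", 0x9001: "SDP-response"}
MAX_PAYLOAD = 64 * 1024     # assumption: what this receiver is willing to buffer


class V2GTPError(ValueError):
    """Raised for any header that must not be handed to the EXI/XML layer."""


def parse_v2gtp(frame: bytes):
    """Return (payload_type_name, payload) or raise V2GTPError.

    Every check runs before the declared length is trusted: truncated header,
    wrong version pair, unknown payload type, length above the receiver cap,
    and length that disagrees with the bytes actually received."""
    if len(frame) < V2GTP_HEADER_LEN:
        raise V2GTPError("truncated header")
    version, inverse, ptype, plen = struct.unpack("!BBHI", frame[:V2GTP_HEADER_LEN])
    if version != V2GTP_VERSION or inverse != V2GTP_INVERSE_VERSION:
        raise V2GTPError("bad protocol version pair")
    if ptype not in PAYLOAD_TYPES:
        raise V2GTPError("unknown payload type")
    if plen > MAX_PAYLOAD:
        raise V2GTPError("declared length exceeds receiver cap")
    if plen != len(frame) - V2GTP_HEADER_LEN:
        raise V2GTPError("declared length does not match received bytes")
    return PAYLOAD_TYPES[ptype], frame[V2GTP_HEADER_LEN:]


def check(frame: bytes) -> str:
    """'ok:<type>' on success, otherwise the rejection reason."""
    try:
        name, _ = parse_v2gtp(frame)
        return "ok:" + name
    except V2GTPError as err:
        return str(err)


def build_frame(ptype: int, payload: bytes, declared_len=None) -> bytes:
    """Build a frame; declared_len lets a sample lie about the length on purpose."""
    plen = len(payload) if declared_len is None else declared_len
    return struct.pack("!BBHI", V2GTP_VERSION, V2GTP_INVERSE_VERSION, ptype, plen) + payload


# Constructed sample frames (not captures from a real charger):
GOOD_EXI = build_frame(0x8001, b"\x80\x98\x02")                    # well-formed EXI frame
OVERSIZE = build_frame(0x8001, b"\x80", declared_len=0xFFFFFFFF)   # length field lies
SHORT = b"\x01\xfe\x80"                                            # cut off mid-header
BAD_VERSION = b"\x01\x01" + GOOD_EXI[2:]                           # inverse byte wrong
UNKNOWN_TYPE = build_frame(0x1234, b"\x00")                        # type not in table
TRAILING = build_frame(0x9000, b"\x10\x00") + b"\xaa"              # extra byte after payload

if __name__ == "__main__":
    samples = [("GOOD_EXI", GOOD_EXI), ("OVERSIZE", OVERSIZE), ("SHORT", SHORT),
               ("BAD_VERSION", BAD_VERSION), ("UNKNOWN_TYPE", UNKNOWN_TYPE),
               ("TRAILING", TRAILING)]
    for name, frame in samples:
        print(f"{name:12s} -> {check(frame)}")
```

The length checks are the part that matters for the EVSE and PEV alike: a parser that allocates or copies based on the 32-bit length field before comparing it with the bytes it actually holds is the classic header edge case, and the cap plus the exact-match comparison closes it without needing to understand the EXI payload at all.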
EVSE! Use Buffer Overflow!
Hackers Benefits: charge your credit card and not your car; hack other ECUs from the PEV side (diagram: PEV – EVSE)
Progress Bar • Who I Am • Automotive Past & Future • Connected Technologies • Centralized Management
Hackers Benefits: EVSEs are all cloud connected -> Vehicle Clouds
The Vehicle Cloud – The Magical Place Where Everything Is Possible (For a Hacker)
The Vehicle Cloud. Normal stuff: private information, GPS coordinates, credit cards. Juicy stuff: remote unlock, OEM secrets, OTA updates.
The Vehicle Cloud – futuristic stuff: centralized control for shared transportation, next-gen police. The cloud is the limit…
OTA – Over The Air: most modern cars receive software updates over a 4G connection to the OEM servers
The Vehicle Cloud: Update, Update, Update, Update, Update…
STOP! Pay 5000$ to unlock this car
The bright side: OEMs invest immense efforts in cyber security. Connected autonomous vehicles would be really great.
TL;DR. Risks: everything is connected; new attack vectors – BT, Wifi, NFC, V2X, PLC. Opportunities: less accidents; life-changing technologies.
Ask Me Anything Lior.yaari@cymotive.com Lior@imperium-sec.com Twitter: @lior_yaari